
URL Shorteners Must Die

URL shorteners (such as bit.ly and tinyurl) have been called the "herpes of the web". Beyond just link-rot, a public shortening service is per se an open redirect vulnerability. Their ubiquity makes them an easy vector for spammers, phishers, and cross-site forgery attacks.

With a shortening service, you're adding something that acts like a third DNS resolver, except one that is assembled out of unvetted PHP and MySQL, without the benevolent oversight of luminaries like Dan Kaminsky and St. Postel.

Luckily, you don't have to contribute to this scourge.

Drupal 7 has adopted the shortlink microformat, which adds a <head> element like so:

When we rebuilt our site in D7, we decided to ditch bit.ly in favor of these built-in shortlinks. However, I also felt the /node/ piece of the path was superfluous, and even strange-looking to visitors outside the Drupal community.

So, we decided to shorten them even further, removing both the "www" and /node/ from the URL. This required only a few minor changes:

.htaccess

Care was taken not to add the "www" prefix for these shortlinks, because doing so would result in multiple redirects (which still works, but is inefficient).

Redirect node/NNN to the alias

The next piece was to redirect to the actual path alias. At the time this site was built, neither the Global Redirect module nor its successor, Redirect, was deemed production-ready, so we rolled our own interim solution:

$base_url

Lastly, we made sure to explicitly set $base_url in settings.php. This ensures that when the Location header is set, it uses the correct domain including the "www", again avoiding inefficient multiple redirects.
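The three pieces above (bare-host shortlinks in .htaccess, the node-to-alias redirect, and a $base_url that already carries the "www") can be modelled end to end. The following is an added example written for this post, not the site's own .htaccess or PHP; it is in Python rather than Apache config so it can be run as-is. The domain example.com, the node ids and the aliases are constructed stand-ins. It contrasts the single-hop resolver with a naive variant that canonicalises the host first, and shows why a self-hosted shortlink is not an open redirect: the destination is looked up from the site's own alias table, never taken from the request.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for Drupal's url_alias table (node id -> path alias).
# Hypothetical ids and aliases, not real site data.
NODE_ALIASES = {
    123: "blog/url-shorteners-must-die",
    456: "about",
}

BASE_URL = "https://www.example.com"   # what $base_url in settings.php would hold (assumed domain)
BARE_HOST = "example.com"              # host the shortlinks are served from (no "www")
WWW_HOST = "www.example.com"           # canonical host for full pages

SHORT_PATH = re.compile(r"^/(\d+)$")              # bare shortlink: /NNN only
NODE_PATH = re.compile(r"^/(?:node/)?(\d+)$")     # /NNN or /node/NNN


def resolve_shortlink(host, path):
    """Resolve one request to (status, location) the way the edge should.

    Only a purely numeric path on the bare host is a shortlink, and it may
    only redirect to an alias from our own table. Anything else is a 404,
    so the resolver cannot be abused as an open redirect: the target never
    comes from the request, only from the lookup.
    """
    if host != BARE_HOST:
        return 404, None
    m = SHORT_PATH.match(path)
    if not m:
        return 404, None
    alias = NODE_ALIASES.get(int(m.group(1)))
    if alias is None:
        return 404, None
    # One hop: Location already carries the canonical "www" host, exactly
    # what setting $base_url explicitly buys you.
    return 301, f"{BASE_URL}/{alias}"


def naive_resolve(host, path):
    """The inefficient variant the post avoids: the bare host first bounces
    to www, and only then is the node id bounced to its alias (two hops)."""
    if host == BARE_HOST:
        return 301, f"https://{WWW_HOST}{path}"
    m = NODE_PATH.match(path)
    if m and int(m.group(1)) in NODE_ALIASES:
        return 301, f"{BASE_URL}/{NODE_ALIASES[int(m.group(1))]}"
    return 200, None


def follow(resolver, url, max_hops=5):
    """Chase redirects through `resolver`; return (final_url, hop_count).
    Stops at the first non-301 answer or after max_hops (loop guard)."""
    hops = 0
    while hops < max_hops:
        parts = urlsplit(url)
        status, location = resolver(parts.netloc, parts.path)
        if status != 301:
            return url, hops
        url = location
        hops += 1
    return url, hops


if __name__ == "__main__":
    for name, resolver in (("single-hop", resolve_shortlink), ("naive", naive_resolve)):
        final, hops = follow(resolver, "https://example.com/123")
        print(f"{name}: {hops} hop(s) -> {final}")
    # A would-be open-redirect payload is simply not a shortlink here.
    print(resolve_shortlink("example.com", "/https://attacker.example"))
```

Run it and the single-hop resolver lands on the alias in one redirect while the naive one needs two; any path that is not a known numeric node id, including anything that looks like a URL, gets a 404 rather than a redirect.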

But the XSRF issues that you describe have little to do with shorteners. How often do you check the destination of a link by looking down at the status bar before you click it? A shortener does little to improve the success rate of an attack.

Easier still, an attacker can just get you to go to a page that has an img tag where the src is the XSRF URL.

shorturl looks excellent as well. As a matter of taste, I thought the /NNN numeric paths looked less strange than the encoded output of shorturl (which uses letters and digits). But shorturl definitely has some advantages, especially if you have a larger number of nodes.

shorturl also allows you to create redirects for any URL, even external sites - not just nodes. This isn't a feature we really needed but I can see the utility of it.

Seems like you should be able to get the same information from our Google Analytics - that'll tell you what percentage of your traffic came through Twitter, Facebook, etc. Or are you looking for some other bit of information?

I had coded the 'redirect to canonical URL feature' in redirect.module but at one point it didn't work, so I had commented it out. I went back today after reading this, tested it, and confirmed it's working again. I've also filed a patch for redirect.module to support the nid short-link redirect. http://drupal.org/node/933888

About the Author

Dylan Tack, Director of Technology

Dylan is a software engineer with more than a decade of experience working with a wide variety of clients including the Linux Foundation, PBS, Habitat for Humanity, TV.com and the Emmys. His background includes training as an electrical engineer, but he became passionate about open source through his work with a university genetics lab.

Dylan is a proud member of the Drupal community, a member of the Drupal security team, and has extensive experience with Perl and Java. His other interests include computer security, embedded design, climbing, and brewing.